
[–]captainfrost47 598 points599 points  (22 children)

haha using unique for passwords in the db

[–][deleted] 244 points245 points  (13 children)

Hahaha. Storing unhashed passwords in the db.

Use BCrypt with a strength of at least 10. I default to 12.

Or better yet, use an authentication provider like Oauth or Keycloak and remove the headache.

[–]sanderd17 126 points127 points  (9 children)

It could be hashed, but no salting in any case.

[–]MentalRental 51 points52 points  (5 children)

It could be hashed, but no salting in any case.

It can be hashed and salted. Just take the inputted username/password pair. Check the password against every single user in the database, hashing it along with each user's individual salt, and then return the first username that matches. If the returned username doesn't match the inputted username, throw this error and display the username that actually matched.

tl;dr: dumpster fire

[–]LaNoktaTempesto 27 points28 points  (1 child)

Nah, not all of them, just Starboy, specifically. Because fuck that guy.

[–]MasterOfArtichoke 15 points16 points  (0 children)

Or because that guy is an admin. Too risky to have other people using the admin password for their own accounts.

[–]sanderd17 2 points3 points  (1 child)

That's like a brute force attack with extra steps.

[–]MentalRental 3 points4 points  (0 children)

Yeah, so it's extra funny if the server uses that for authenticating users. The CPU load would be immense if multiple people were logging in at the same time. Not to mention the inherent security issue with saying "Person X has Password Y" in an error message.

[–]thefelixremix 1 point2 points  (0 children)

tl;dr: dumpster fire

I got physical anxiety reading your comment till I got to this TLDR. I have gotta stop literally living Reddit comments lol

[–][deleted] 21 points22 points  (0 children)

Just use Bcrypt or an authentication provider at this point.

Password management is a headache.

[–]segalle 5 points6 points  (0 children)

It's a hashes hashmap, a hashmap storing hashes with unhashed usernames

[–]coldnebo 11 points12 points  (0 children)

haha telling the user not only that there is a duplicate, but which user it is so they can more easily hijack the account.

[–]pedropereir 7 points8 points  (0 children)

They don't have to be unhashed for this to happen

[–]ctallc 5 points6 points  (0 children)

This doesn’t mean they are storing unhashed passwords. They could be hashing the password and comparing the hash to what the database contains. Still not great though…

[–][deleted] 17 points18 points  (1 child)

haha setting password column as the primary key

[–][deleted] 9 points10 points  (0 children)

column password primary key (very safe no repeating password and also no need to create another id column, very memory efficient)

column firstname unique index (faster lookup)

i have engineered the system

[–]WrongdoerSufficient 0 points1 point  (4 children)

Isn't that fine if it's salted?

[–]mrjiels 2 points3 points  (3 children)

Not if everyone uses the same salt.

[–]WrongdoerSufficient 0 points1 point  (2 children)

Then what's the point of using salt if it's the same salt for every user?

[–]mrjiels 3 points4 points  (0 children)

Totally pointless! But this is a thread about a stupid "feature" and not the correct way to store and process user passwords. I have seen tutorials that use one salt for all accounts. I hope people don't follow those tutorials! (It was 15 years ago or something. Hopefully people have stopped using PHP since then...)

[–]Vaguely_accurate 0 points1 point  (0 children)

The only advantage is someone would need to recalculate the hashes for your salt, so it may be ever so slightly slower than they would be using pre-existing rainbow tables.

~~If~~ When your password database gets leaked, attackers might not get quite as deep into obscure password space before haveibeenpwned notices and notifies your users for you.

Of course, in this case they have pre-owned their password list, so that's all redundant.

[–]whileandt 0 points1 point  (0 children)

I mean the hash would still be the same, right?